Deploying the Elastic Stack in an Air-Gapped environment – Part 4 (Optional)

Logstash – Fleet setup

Feel free to skip this post if you have no need for Logstash.

Install Logstash

On the Logstash server, navigate to the directory you copied the Logstash Deb file to and run:

#replace X.X.X with your version

sudo dpkg -i logstash-X.X.X-amd64.deb 

Run the following commands to reload the systemd manager configuration, enable and start Logstash:

sudo systemctl daemon-reload
sudo systemctl enable logstash
sudo systemctl start logstash

Generate Certificates

To secure communications between Agents, Logstash, Fleet and Elasticsearch, we'll need to generate a few certs. We'll sign them with the CA cert and key from Part 2.

First we will generate certs for the agents.

On your Elasticsearch server run:

./bin/elasticsearch-certutil cert \
  --name client \
  --ca-cert /usr/share/elasticsearch/ca/ca.crt \
  --ca-key /usr/share/elasticsearch/ca/ca.key \
  --pem

Extract the generated zip file.

Next, we need to generate certs for Logstash itself:

./bin/elasticsearch-certutil cert \
  --name logstash \
  --ca-cert /usr/share/elasticsearch/ca/ca.crt \
  --ca-key /usr/share/elasticsearch/ca/ca.key \
  --dns <your-logstash-hostname> \
  --ip <your-logstash-ip> \
  --pem

Extract the generated zip file. Logstash requires the private key in PKCS#8 format, so convert it with the following command:

openssl pkcs8 -inform PEM -in logstash.key -topk8 -nocrypt -outform PEM -out logstash.pkcs8.key

Copy the cert and converted key to your Logstash server under /etc/logstash/certs/. You'll also need to copy ca.crt and http_ca.crt from your Elasticsearch server into the same directory.

Fleet Settings

Navigate to Fleet > Settings. Under Outputs select “Add output”.

Screenshot displaying the Outputs configuration section in Logstash for sending data. It includes fields for Name, Type, Hosts, Status, Default options for Agent integrations and monitoring, and an option to add output.

Call your new output Logstash and select type Logstash. Use the GUI to create the API key for Logstash.

Screenshot of the Logstash configuration interface for adding a new output, featuring fields for output name and type, along with additional configuration steps.

On your Logstash server, create a file called elastic-agent.conf in the /etc/logstash/conf.d/ directory and paste in the config shown in the GUI. You'll need to make a few alterations; mine is below for reference.

input {
  elastic_agent {
    port => 5044
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_client_authentication => "required"
  }
}

output {
  elasticsearch {
    hosts => "https://<your-es-ip>:9200"
    api_key => "xxxx:xxxx" # generated by fleet
    data_stream => true
    ssl => true
    cacert => "/etc/logstash/certs/http_ca.crt"
  }
}
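The two steps above that most often go wrong are the PKCS#8 key conversion and the ssl_client_authentication setting on the elastic_agent input. The following pre-flight checker is an added example, not code from the original post: it parses the input block of elastic-agent.conf, confirms the key file really carries a PKCS#8 header, confirms that agents are required to present a client cert, and checks that every referenced file exists. The SAMPLE_CONF string is a constructed copy of the input block shown above; the root parameter is an assumption that lets the checks run against a test directory instead of /.

```python
import re
from pathlib import Path

PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----"  # PKCS#8; "BEGIN RSA/EC PRIVATE KEY" is not
INPUT_RE = re.compile(r"input\s*\{(.*?)^\}", re.S | re.M)  # closing brace must sit in column 0
SETTING_RE = re.compile(r"^\s*(\w+)\s*=>\s*(.+?)\s*$", re.M)
# Constructed copy of the input block from the post's elastic-agent.conf.
SAMPLE_CONF = """input {
  elastic_agent {
    port => 5044
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_client_authentication => "required"
  }
}
"""

def parse_settings(block):
    """key => value lines of a plugin block -> dict (quotes stripped, [..] -> list, # comments dropped)."""
    out = {}
    for key, raw in SETTING_RE.findall(block):
        raw = raw.split("#", 1)[0].strip()
        if raw.startswith("["):
            out[key] = [v.strip().strip('"') for v in raw.strip("[]").split(",") if v.strip()]
        else:
            out[key] = raw.strip('"')
    return out

def is_pkcs8_key(path):
    """True only if the file exists and its first line is the PKCS#8 header Logstash expects."""
    return path.is_file() and (path.read_text().lstrip().splitlines() or [""])[0] == PKCS8_HEADER

def check_pipeline(conf_text, root=Path("/")):
    """Return a list of findings; an empty list means the input block looks sane.
    `root` (assumption for offline testing) is prepended to every path in the config."""
    m = INPUT_RE.search(conf_text)
    inp, findings = parse_settings(m.group(1) if m else ""), []
    if inp.get("ssl_enabled") != "true":
        findings.append("ssl_enabled is not true: agents would connect in cleartext")
    if inp.get("ssl_client_authentication") != "required":
        findings.append("ssl_client_authentication is not 'required': mTLS is not enforced")
    key = inp.get("ssl_key", "")
    if not is_pkcs8_key(root / key.lstrip("/")):
        findings.append(f"{key} is missing or not PKCS#8 (convert with openssl pkcs8 -topk8)")
    for p in [inp.get("ssl_certificate", "")] + inp.get("ssl_certificate_authorities", []):
        if p and not (root / p.lstrip("/")).is_file():
            findings.append(f"referenced file {p} does not exist")
    return findings
```

Run it as `check_pipeline(Path("/etc/logstash/conf.d/elastic-agent.conf").read_text())` on the Logstash host; Logstash's own syntax check (`/usr/share/logstash/bin/logstash --config.test_and_exit -f <file>`) complements it but does not tell you whether the key format or the mTLS setting is what you intended.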

Restart the Logstash service to apply the changes:

sudo systemctl restart logstash

Head back to Fleet and continue adding the new output.

Under Logstash hosts, enter your Logstash IP, the port will default to 5044.

Copy and paste the contents of your ca.crt, client.crt and client.key into the relevant boxes.

Select make default (optional). This will generate an error message if you have a basic license. If it does, follow the instructions below.

Screenshot of the user interface for adding a new output in Fleet settings, including fields for Logstash hosts, server SSL certificate authorities, and client SSL certificate details.

Error

The basic license only allows a single Fleet output. The default output is set in the kibana.yml file; comment out the following line at the bottom of the file:

xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true

Restart the Kibana service:

sudo systemctl restart kibana

Update the settings in Fleet; you should now be able to make it your default output.

Output Added

Under Fleet settings you'll see the additional Logstash output. Agents can now be configured to send their logs and metrics through Logstash instead of directly to Elasticsearch.

Screenshot of a table showing Fleet output settings, including the name, type, and hosts for each output: default and Logstash.

Conclusion

In this post, we walked through the full process of setting up Logstash as an output for Fleet-managed Elastic Agents — from installing Logstash and generating the necessary certificates, to configuring Fleet outputs and wiring everything together with a working Logstash pipeline.

This setup is especially valuable in environments where:

  • You need to pre-process data before it reaches Elasticsearch.
  • You require greater control over routing, filtering, or enrichment.
  • You only want a single point of contact with Elasticsearch.

While not every deployment needs Logstash (and it’s perfectly fine to skip if that’s your case), having it in your toolbelt gives you additional flexibility and power when scaling or customizing your Elastic Stack deployment.
